COVID Scams and Frauds

Phishing for Coronavirus

Perhaps the most prevalent threat during COVID-19 has been the increase in phishing attempts using coronavirus or related issues as bait. At the end of March, Barracuda Networks researchers found that COVID-19 related phishing attempts had spiked 667% since the end of February.

Of note, the FBI called out fake e-mails from the U.S. Centers for Disease Control and Prevention (CDC) stating:

“Watch out for emails claiming to be from the Centers for Disease Control and Prevention (CDC) or other organizations claiming to offer information on the virus. Do not click links or open attachments you do not recognize.

Fraudsters can use links in emails to deliver malware to your computer to steal personal information or to lock your computer and demand payment. Be wary of websites and apps claiming to track COVID-19 cases worldwide. Criminals are using malicious websites to infect and lock devices until payment is received.”

Other phishing scams that community banks should warn employees and customers to look out for include:

  • Orders or directives appearing to come from local governments. Be particularly suspicious of anything requiring you to provide personal information in exchange for information related to your government’s response to COVID-19. They are your government; they have your contact information already.
  • Emails offering PPE. This ties into advance fee scams. Criminals have sent out hundreds of thousands of emails to companies and individuals offering masks and other forms of PPE, especially now that some states are requiring personal protective equipment (PPE) in public. Be skeptical of anyone who is not a known distributor you have worked with in the past.
  • Emails offering early access to Economic Impact Payments (EIPs). Another common theme has been offering advancements on the $1,200 stimulus checks being sent by the federal government. Of course, there is no advance option and the victims’ computers are loaded with malware instead.

ICBA always encourages community banks to tell their employees and customers to think before they click. Especially during chaotic times such as these, slow down and thoroughly examine every email you get.

If it seems too good to be true, it probably is. Another important step you can take is to never open attachments from senders you do not know. Community banks may also want to reach out to their own customers through more traditional means and let them know what they will and will not ask from them.

Additional resources for community banks:

Advance Fee Scams

Advance Fee Scam

With the demand for personal protective equipment, or PPE, growing daily, advance fee scams have become increasingly popular for criminals looking to take advantage of the pandemic. Advance fee scams occur when businesses or organizations pay for goods up front, but nothing is ever shipped to the buyer. By the time the buyer becomes suspicious, the funds have already been transferred and are unrecoverable.

Unfortunately, the need in some states due to new legal requirements, has driven businesses to obtain PPE by any means necessary. In some instances, this means working with dealers they have not worked with in the past or dealers who do not have experience selling the goods they are looking to obtain.

Warning signs that community banks should pay attention to while attempting to procure PPE include:

  • A seller or broker initiating the contact with the buyer, especially from a difficult to verify channel.
  • The seller or broker is not an entity with which the buyer has an existing relationship.
  • The seller or broker cannot clearly explain the origin of the items or how they are available, given current demand.
  • The potential buyer cannot verify with the product manufacturer that the seller is a legitimate distributor or vendor of the product.
  • Unexplained urgency to transfer funds or a last-minute change in previously established wiring instructions.

Coronavirus may have thrown your community bank’s supply chain for a loop, but that does not mean your bank should rush into new agreements. Carefully consider and vet new suppliers, especially if they seem too good to be true.

Additional resources for community banks:

Attacks on New Technology


Because of the pandemic, community banks have quickly adopted or increased the use of technology to enable their new or expanded remote workforce to function as well as possible. Virtual Private Networks (VPNs), teleconferencing technologies, and other productivity applications are now considered critical to business functions.

These newly adopted or expanded technologies, including VPNs, have become attractive targets for malicious actors looking to find a weak link. While VPNs create a more secure remote work environment, vulnerabilities do exist, and they are targeted.

As such, community banks should take the following steps to ensure all technology being used for remote work is as secure as possible:

  • Update VPNs, network infrastructure devices, and devices being used to remote into work environments, with the latest patches, firmware, and security configurations.
  • Ensure IT security personnel are prepared to ramp up the following remote access cybersecurity tasks: log review, attack detection, and incident response and recovery. Per the National Institute of Standards and Technology (NIST) Special Publication 800-46 v.2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, these tasks should be documented in the configuration management policy.
  • Implement multi-factor authentication (MFA) on all VPN connections to increase security. If MFA is not implemented, require teleworkers to use strong passwords.
  • Ensure IT security personnel test VPN limitations to prepare for mass usage and, if possible, implement modifications, such as rate limiting, to prioritize users that will require higher bandwidths.

Additional resources for community banks:

Contact Us